Analysis of the Principles of Binius STARKs and Thoughts on Optimization

1 Introduction

A major reason for the inefficiency of STARKs is that most numerical values in practical programs are relatively small, such as indexes in for loops, boolean values, counters, etc. However, to ensure the security of proofs based on Merkle trees, many additional redundant values occupy the entire field when using Reed-Solomon encoding to expand the data, even though the original values themselves are very small. To address this issue, reducing the size of the field has become a key strategy.

The encoding bit width of the 1st generation STARKs is 252 bits, the encoding bit width of the 2nd generation STARKs is 64 bits, and the encoding bit width of the 3rd generation STARKs is 32 bits, but there is still a lot of wasted space in the 32-bit encoding width. In comparison, the binary field allows direct bit manipulation, making the encoding compact and efficient without any wasted space, which is the 4th generation STARKs.

Compared to recent research findings on finite fields such as Goldilocks, BabyBear, and Mersenne31, the study of binary fields dates back to the 1980s. Currently, binary fields are widely used in cryptography, with typical examples including:

• Advanced Encryption Standard ( AES ), based on F28 field;

• Galois Message Authentication Code ( GMAC ), based on the F2128 field;

• QR code, using Reed-Solomon encoding based on F28;

• The original FRI and zk-STARK protocols, as well as the Grøstl hash function that entered the SHA-3 finals, which is based on the F28 field, is a hash algorithm very suitable for recursion.

When using smaller fields, the extension field operation becomes increasingly important for ensuring security. The binary field used by Binius completely relies on extension fields to guarantee its security and practical usability. Most of the polynomials involved in Prover computations do not need to enter the extension field and can operate solely within the base field, achieving high efficiency in small fields. However, random point checks and FRI calculations still need to delve into larger extension fields to ensure the required level of security.

When constructing a proof system based on binary fields, there are two practical issues: the size of the field used to compute the trace representation in STARKs should be greater than the degree of the polynomial; during the Merkle tree commitment in STARKs, Reed-Solomon encoding is required, and the size of the field should be greater than the size after encoding expansion.

Binius proposed an innovative solution to handle these two issues separately, achieving this by representing the same data in two different ways: first, using multivariable ( specifically multivariate ) polynomials instead of univariate polynomials, representing the entire computation trajectory through its values on "hypercubes" (; secondly, since the length of each dimension of the hypercube is 2, it cannot perform standard Reed-Solomon expansion like STARKs, but the hypercube can be viewed as a square ), on which Reed-Solomon expansion can be based. This method greatly enhances coding efficiency and computational performance while ensuring security.

2 Principle Analysis

The construction of most current SNARKs systems typically includes the following two parts:

• Information-Theoretic Polynomial Interactive Oracle Proof, PIOP(: PIOP serves as the core of the proof system, transforming the input computational relations into verifiable polynomial equations. Different PIOP protocols allow the prover to gradually send polynomials through interaction with the verifier, enabling the verifier to validate the correctness of the computation by querying the evaluation results of a small number of polynomials. Existing PIOP protocols include: PLONK PIOP, Spartan PIOP, and HyperPlonk PIOP, each of which handles polynomial expressions differently, thereby affecting the performance and efficiency of the entire SNARK system.

• Polynomial Commitment Scheme )Polynomial Commitment Scheme, PCS (: The polynomial commitment scheme is used to prove whether the polynomial equations generated by PIOP hold. PCS is a cryptographic tool that allows the prover to commit to a certain polynomial and later verify the evaluation results of that polynomial while hiding other information about the polynomial. Common polynomial commitment schemes include KZG, Bulletproofs, FRI ) Fast Reed-Solomon IOPP (, and Brakedown, among others. Different PCS have different performance, security, and applicable scenarios.

According to specific requirements, choose different PIOP and PCS, and combine them with suitable finite fields or elliptic curves to construct proof systems with different attributes. For example:

• Halo2: a combination of PLONK PIOP and Bulletproofs PCS, based on the Pasta curve. Halo2 is designed with a focus on scalability and the removal of the trusted setup in the ZCash protocol.

• Plonky2: Combines PLONK PIOP with FRI PCS, based on the Goldilocks field. Plonky2 is designed for efficient recursion. When designing these systems, the chosen PIOP and PCS must match the finite field or elliptic curve being used to ensure the system's correctness, performance, and security. The choice of these combinations not only affects the size of SNARK proofs and verification efficiency but also determines whether the system can achieve transparency without a trusted setup, and whether it can support extended functionalities such as recursive proofs or aggregate proofs.

Binius: HyperPlonk PIOP + Brakedown PCS + binary field. Specifically, Binius includes five key technologies to achieve its efficiency and security. First, the arithmetic based on tower of binary fields )towers of binary fields( forms the basis of its computation, enabling simplified operations within the binary field. Second, Binius adapted the HyperPlonk product and permutation checks in its interactive Oracle proof protocol )PIOP(, ensuring secure and efficient consistency checks between variables and their permutations. Third, the protocol introduces a new multilinear shift proof, optimizing the efficiency of verifying multilinear relationships over small fields. Fourth, Binius employs an improved Lasso search proof, providing flexibility and robust security for the search mechanism. Lastly, the protocol utilizes a small field polynomial commitment scheme )Small-Field PCS(, enabling it to implement an efficient proof system over binary fields and reducing the overhead typically associated with large fields.

) 2.1 Finite Fields: Arithmetic based on towers of binary fields

Towered binary fields are key to achieving fast verifiable computation, mainly due to two aspects: efficient computation and efficient arithmetic. Binary fields essentially support highly efficient arithmetic operations, making them an ideal choice for performance-sensitive cryptographic applications. Additionally, the structure of binary fields supports a simplified arithmetic process, which means that operations performed over binary fields can be represented in a compact and easily verifiable algebraic form. These features, combined with the ability to fully leverage their hierarchical characteristics through tower structures, make binary fields particularly suitable for scalable proof systems like Binius.

"Canonical" refers to the unique and direct representation of elements in a binary field. For example, in the simplest binary field F2, any k-bit string can be directly mapped to a k-bit binary field element. This is different from prime fields, where a prime field cannot provide such a canonical representation within a given number of bits. Although a 32-bit prime field can fit into 32 bits, not every 32-bit string can uniquely correspond to a field element, while binary fields have the convenience of this one-to-one mapping. In the prime field Fp, common reduction methods include Barrett reduction, Montgomery reduction, and special reduction methods for specific finite fields such as Mersenne-31 or Goldilocks-64. In the binary field F2k, common reduction methods include special reduction ( used in AES ), Montgomery reduction ### used in POLYVAL (, and recursive reduction ) used in Tower (. The paper "Exploring the Design Space of Prime Field vs. Binary Field ECC-Hardware Implementations" points out that binary fields do not require carry in addition and multiplication operations, and squaring in binary fields is very efficient because it follows the simplified rule )X + Y (2 = X2 + Y 2.

As shown in Figure 1, a 128-bit string: this string can be interpreted in various ways in the context of binary fields. It can be viewed as a unique element in a 128-bit binary field, or parsed as two 64-bit tower field elements, four 32-bit tower field elements, sixteen 8-bit tower field elements, or 128 F2 field elements. This flexibility in representation does not require any computational overhead; it is merely a typecast of the bit string )typecast(, which is a very interesting and useful property. At the same time, small field elements can be packed into larger field elements without incurring additional computational overhead. The Binius protocol takes advantage of this feature to improve computational efficiency. In addition, the paper "On Efficient Inversion in Tower Fields of Characteristic Two" discusses the computational complexity of performing multiplication, squaring, and inversion operations in n-bit tower binary fields decomposed into m-bit subfields ).

( 2.2 PIOP: Adapted HyperPlonk Product and Permutation Check ------ Applicable to binary fields

The PIOP design in the Binius protocol draws on HyperPlonk and employs a series of core verification mechanisms for validating the correctness of polynomials and multivariable sets. These core checks include:

1. GateCheck: Verify whether the confidential witness ω and public input x satisfy the circuit computation relation C)x, ω(=0, to ensure the circuit operates correctly.

2. PermutationCheck: Verify whether the evaluation results of two multivariate polynomials f and g on the Boolean hypercube are a permutation relation f)x### = f(π)x(), to ensure the consistency of the arrangement among polynomial variables.

3. LookupCheck: Verify whether the evaluation of the polynomial is in the given lookup table, i.e., f(Bµ( ⊆ T)Bµ), ensuring that certain values are within the specified range.

4. MultisetCheck: Check whether two multivariable sets are equal, namely {(x1,i,x2,)}i∈H={(y1,i,y2,)}i∈H, ensuring consistency among multiple sets.

5. ProductCheck: Check whether the evaluation of a rational polynomial on the Boolean hypercube equals a declared value ∏x∈Hµ f(x) = s, to ensure the correctness of the polynomial product.

6. ZeroCheck: Verify whether a multivariable polynomial is zero at any point on the Boolean hypercube ∏x∈Hµ f(x) = 0, ∀x ∈ Bµ, to ensure the distribution of the polynomial's zeros.

7. SumCheck: Detecting whether the sum of a multivariate polynomial equals the declared value ∑x∈Hµ f(x) = s. By transforming the evaluation problem of multivariate polynomials into the evaluation of univariate polynomials, it reduces the computational complexity for the verifier. Furthermore, SumCheck also allows for batching by introducing random numbers to construct linear combinations for batch processing of multiple sum verification instances.

8. BatchCheck: Based on SumCheck, it verifies the correctness of multiple multivariate polynomial evaluations to improve protocol efficiency.

Although Binius and HyperPlonk have many similarities in protocol design, Binius has made improvements in the following three areas:

• ProductCheck Optimization: In HyperPlonk, ProductCheck requires that the denominator U is non-zero everywhere on the hypercube, and the product must equal a specific value; Binius simplifies this check by specializing that value to 1, thereby reducing computational complexity.

• Handling of Division by Zero Problem: HyperPlonk fails to adequately handle division by zero situations, leading to an inability to assert the non-zero problem of U on the hypercube; Binius correctly addresses this issue, as even in cases where the denominator is zero, Binius's ProductCheck can continue processing, allowing for extension to any product value.

• Cross-column PermutationCheck: HyperPlonk does not have this feature; Binius supports PermutationCheck across multiple columns, allowing Binius to handle more complex polynomial arrangement scenarios.

Therefore, Binius improved the existing PIOPSumCheck mechanism, enhancing the flexibility and efficiency of the protocol, especially in providing stronger functional support when dealing with more complex multivariate polynomial verification. These improvements not only addressed the limitations in HyperPlonk but also laid the foundation for future proof systems based on binary fields.

( 2.3 PIOP: New multilinear shift argument------Applicable to boolean hypercube

In the Binius protocol, the construction and processing of virtual polynomials is one of the key technologies, effectively generating and manipulating polynomials derived from input handles or other virtual polynomials. Here are two key methods:

• Packing: This method involves